Re: NTLM in Win32 VNC


Paul Ashton
Tue, 23 Jun 1998 11:03:11 +0200


said:
> I have started to add NTLM authentication to the Win32 VNC client and
> server. If you run the VNC server on Windows NT, and connect with a Win32
> client (either NT or 95), your credentials will be authorized through SSPI
> (Security Support Provider Interface) instead of a simple
> challenge-response password. That is, your logon credentials for your
> workstation will be (securely) passed to the server, so the server can find
> out what your network logon name is.

> 1. Since this isn't applicable outside the Windows world, is this something
> you'd consider adding to VNC?

I'd hope not.

NTLM authentication is terribly insecure and should only really be
used over an encrypted tunnel.

The protocol only authenticates the client and not the server.

The server can issue the client with any chosen challenge including
one obtained during an attempt to access a remote resource as the
current client. i.e. C->VNC-Server I am Alice, VNC-Server->File-Server
I am Alice, FS->VNCS Nonce1, VNCS->C Nonce1, C->VNCS E(PW,Nonce1),
VNCS->FS E(PW,Nonce1), VNCS is now authenticated to File-Server as
Alice.

The server can precompute a dictionary using a given challenge
and always issue it to the client then immediately do a look up
in the database. This was "solved" in IE4 by using the zone
feature whereby clients only send Challenge-Responses to
"trusted" hostnames (yeah, remember DNS security?).

A valid challenge response pair can be used by a workstation
to ask the domain controller for the user's password! See
ntbugtraq.

It's the worst protocol I've ever seen.

Cheers,
Paul
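The two weaknesses Paul describes above (the rogue server forwarding someone else's challenge, and the fixed-challenge dictionary) follow directly from the response depending on nothing but the password and the server-chosen nonce. The following toy model is an added illustration for this archive entry; it is not Paul's code, not the VNC code, and not the real NTLM algorithm (which used DES over a password hash). The HMAC construction, the host names "VNC-Server" and "File-Server", the word list and the fixed challenge are all constructed for the example. It runs the relay and the precomputed lookup once against the weak form, and once against a form that also binds the target name and a client nonce (the idea later adopted in NTLMv2 target info and channel binding), showing which check fails where.

```python
import hashlib
import hmac
import os
from typing import Optional

# Toy one-way challenge-response model (constructed for illustration): the
# server picks a nonce, the client returns a keyed function of its
# password-derived key and that nonce. This is NOT the real NTLM algorithm.


def password_key(password: str) -> bytes:
    """Stand-in for the stored password hash that both ends share."""
    return hashlib.sha256(password.encode()).digest()


def respond_v1(key: bytes, challenge: bytes) -> bytes:
    """Weak form: the answer depends only on the password and the nonce."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def respond_bound(key: bytes, challenge: bytes, target: str, client_nonce: bytes) -> bytes:
    """Hardened form: the answer also binds the name of the server the client
    believes it is talking to, plus a nonce the client chose itself."""
    return hmac.new(key, challenge + target.encode() + client_nonce, hashlib.sha256).digest()


def relay_v1(password: str) -> bool:
    """Paul's trace with the weak form. The rogue VNC server hands the client
    the nonce it just received from the file server and passes the answer on.
    The file server can only check the bytes against the password key, so it
    accepts. Returns True when the relayed answer verifies at the file server."""
    key = password_key(password)
    nonce1 = os.urandom(8)                  # FS -> VNCS: Nonce1, then VNCS -> C: Nonce1
    resp = respond_v1(key, nonce1)          # C -> VNCS: E(PW, Nonce1)
    return hmac.compare_digest(resp, respond_v1(key, nonce1))  # VNCS -> FS: same bytes


def relay_bound(password: str) -> bool:
    """Same relay with the hardened form. The client bound "VNC-Server" into
    its answer; the file server checks under its own name and rejects it."""
    key = password_key(password)
    nonce1 = os.urandom(8)
    cnonce = os.urandom(8)
    resp = respond_bound(key, nonce1, "VNC-Server", cnonce)
    expected_at_file_server = respond_bound(key, nonce1, "File-Server", cnonce)
    return hmac.compare_digest(resp, expected_at_file_server)


WORDLIST = ["letmein", "hunter2", "password1", "vnc-rules"]  # constructed sample
FIXED_CHALLENGE = b"\x11" * 8  # the challenge a dishonest server "always issues"


def dictionary_v1(password: str, wordlist) -> Optional[str]:
    """Weak form: a table built ahead of time for FIXED_CHALLENGE is enough;
    the server sends that challenge and looks the answer up. Returns the
    recovered password, or None if it was not in the list."""
    table = {respond_v1(password_key(p), FIXED_CHALLENGE): p for p in wordlist}
    resp = respond_v1(password_key(password), FIXED_CHALLENGE)
    return table.get(resp)


def dictionary_bound(password: str, wordlist) -> Optional[str]:
    """Hardened form: the table has to guess the client nonce too, so a table
    built before the session (here with an all-zero nonce) never matches."""
    guessed_nonce = b"\x00" * 8
    table = {respond_bound(password_key(p), FIXED_CHALLENGE, "VNC-Server", guessed_nonce): p
             for p in wordlist}
    resp = respond_bound(password_key(password), FIXED_CHALLENGE, "VNC-Server", os.urandom(8))
    return table.get(resp)


if __name__ == "__main__":
    print("relay, weak form accepted at file server:", relay_v1("hunter2"))
    print("relay, bound form accepted at file server:", relay_bound("hunter2"))
    print("precomputed lookup, weak form:", dictionary_v1("hunter2", WORDLIST))
    print("precomputed lookup, bound form:", dictionary_bound("hunter2", WORDLIST))
```

Note what the hardened form does and does not buy: binding the target name stops the answer from being useful at a different server, and the client nonce stops a table from being built before the session starts. Neither makes a weak password safe against someone who records a session and guesses afterwards, which is why Paul's advice to run the exchange inside an encrypted, server-authenticated tunnel still stands.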



This archive was generated by on Wed Feb 03 1999 - 15:34:51 GMT